No standing for speculative harm in data breach – Fourth Circuit

Beck v. McDonald. At a VA hospital, a laptop holding 7,400 patients' personal information was secured to a medical device by only a strip of Velcro. Unsurprisingly, it was stolen. Two veterans sued the VA over the compromise of their personal information.

The veterans sued for violations of the Privacy Act of 1974 and the Administrative Procedures Act on behalf of a putative class of 7,400; defendants moved to dismiss for lack of subject matter jurisdiction or, alternatively, failure to state a claim. The district court granted the motion to dismiss and, alternatively, ruled that defendants were entitled to summary judgment because (in part) the plaintiffs had not suffered any actual damages as required by the Privacy Act.

How do you establish harm sufficient for standing in a privacy breach case anyway?

The Fourth Circuit looked to the U.S. Supreme Court cases of Clapper v. Amnesty International USA, 133 S. Ct. 1138, 1155 (2013) and to answer that question. Here is the Circuit’s summary of that case:

The Court recently explored the “threatened injury” theory of Article III standing in Clapper v. Amnesty International USA. That case involved a constitutional challenge to section 1881a of the Foreign Intelligence Surveillance Act of 1978 (“FISA”), which, “upon the issuance of an order from the Foreign Intelligence Surveillance Court,” authorizes “for a period of up to 1 year” the Attorney General and the Director of National Intelligence to target for surveillance “persons reasonably believed to be located outside the United States to acquire foreign intelligence information.” 133 S. Ct. at 1144 (quoting 50 U.S.C. § 1881a).

The respondents—attorneys and human-rights, labor, legal, and media organizations whose work required them to communicate via telephone and e-mail with individuals located abroad—sought a declaration that the provision was facially unconstitutional and a permanent injunction against its use. Id. at 1146. The respondents alleged two injuries: (1) that § 1881a curtailed their ability to “locate witnesses, cultivate sources, obtain information, and communicate confidential information,” and (2) that they had implemented “costly and burdensome measures,” including traveling abroad to have in-person conversations, to protect the confidentiality of their sensitive communications from FISA surveillance. Id. at 1145–46.

The district court ruled that the respondents lacked standing. Id. at 1146. On appeal, the Second Circuit reversed, holding that the “objectively reasonable likelihood” that the respondents’ communications would be intercepted at some future time and their allegation that they suffered economic and professional harm as a result were sufficient to confer standing. Id.

The Supreme Court rejected the Second Circuit’s use of an “objectively reasonable likelihood” standard for Article III standing as inconsistent with the Court’s long-established requirement that “threatened injury must be certainly impending to constitute injury in fact.” Id. at 1147–48 (listing cases). Addressing first the respondents’ allegation that the Government would target their private communications, the Court catalogued the series of hypothetical events that would have to occur to establish an “imminent” injury-in-fact: namely, the speculative possibility that the Government, pursuant to § 1881a’s “many safeguards,” would successfully target and intercept the communications of those foreigners with whom the respondents worked. Id. at 1148–50. The respondents’ theory of standing, premised on this “highly attenuated chain of possibilities” could not “satisfy the requirement that threatened injury must be certainly impending.” Id. at 1148.

The respondents’ second theory of injury, premised on the “costly and burdensome” measures they had undertaken to protect the confidentiality of their communications, also failed to confer standing. Id. at 1150–51. The Court reasoned that the respondents’ attempts to minimize e-mail and phone conversations, to speak “in generalities rather than specifics,” and to travel abroad to have in-person conversations, were all costs “incurred in response to a speculative threat.” Id. at 1151. The Court declined to “water[] down the fundamental requirements of Article III” by allowing respondents to “manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.” Id.

Clapper’s discussion of when a threatened injury constitutes an Article III injury-in-fact is controlling here.

This decision makes clear that, here in the Fourth Circuit, fear of harm from future identity theft is not sufficient to create standing. Buying credit monitoring services or taking other steps to mitigate speculative theft does not change that.

The Sixth, Seventh and Ninth Circuits allow this speculative standing. The First and Third Circuits, and now the Fourth, reject it. However, the Fourth Circuit works to differentiate the Sixth, Seventh and Ninth Circuit cases, saying that those cases contained “allegations that sufficed to push the threatened injury of future identity theft beyond the speculative to the sufficiently imminent,” including actual attempted identity theft and sophisticated hacking. By contrast, here, the laptop was physically stolen and there were no subsequent theft attempts.

Indeed, for the Plaintiffs to suffer the harm of identity theft that they fear, we must engage with the same “attenuated chain of possibilities” rejected by the Court in Clapper.

While at first blush this may seem like a boon to privacy and class action defense attorneys – and it may be – the Circuit’s own explanation will make the ruling highly distinguishable from any case in which there is actual hacking.